Episode III: Revenge of the React vulnerabilities
The React Server Components vulnerability was more persistent than initially anticipated, but the latest patch has eliminated the React2Shell exploit.

The fight against React2Shell is not over.
Just days after the initial disclosure of the critical Remote Code Execution (RCE) flaw, CVE-2025-55182, security researchers found that the initial patches were insufficient. This led to a new set of high-severity flaws in the same vulnerable component: React Server Components (RSC). In response to this CVE, we published a series of blog posts (see Part 1, which addresses Code Search for identifying code impacted by this CVE, and Part 2, which demonstrates how to apply the fix).
However, what appeared to be a resolved incident instead revealed a second wave of vulnerabilities triggered by incomplete fixes.
The new official disclosure from the React team confirms the existence of three new CVEs. These vulnerabilities affect the same core packages (react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack):
| Severity | Type | CVEs | Impact |
| --- | --- | --- | --- |
| High | Denial of Service (DoS) | CVE-2025-55184, CVE-2025-67779 | Attackers can trigger an infinite loop by sending a malicious request, which can cause the server process to hang and result in system-wide outages. |
| Medium | Source Code Exposure | CVE-2025-55183 | Malicious requests can expose the source code of Server Functions, potentially leaking hardcoded secrets, such as credentials. |
Many organizations patched to intermediate versions, which the React team has now confirmed are still vulnerable to the new DoS issues.
If you updated to versions 19.0.2, 19.1.3, or 19.2.2, you are still exposed.
To find every single repository using a vulnerable version, including the partially-patched ones, you need a precise and comprehensive Code Search query.
This updated regex targets any react-server-dom-* dependency pinned between 19.0.0 and the last known unsafe patch, 19.2.2, including the partially patched 19.0.2, 19.1.3 and 19.2.2 releases (the patch range differs per minor line because 19.0.3 and 19.2.3 are safe while 19.1.3 is not).
context:global file:package.json "react-server-dom-(webpack|parcel|turbopack)":\s*"[~^]?(19\.(0\.[0-2]|1\.[0-3]|2\.[0-2]))" patterntype:regexp
Use Sourcegraph Code Search to run this query across your entire codebase and instantly generate a comprehensive list of projects that require remediation.
The final, fully safe versions are: 19.0.3, 19.1.4, and 19.2.3. To address the newly disclosed React Server Components DoS and source exposure vulnerabilities (and to correct false-confidence upgrades), adapt this updated Batch Change spec and follow the instructions from Part 2 of this series to use the spec to apply a Batch Change across affected codebases. This version detects all partially patched React 19.x dependencies and automatically upgrades them to the final safe releases (19.0.3, 19.1.4, 19.2.3), ensuring complete remediation across your entire codebase.
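The same find-and-fix logic can be run locally against a single package.json. The Node.js script below is an added example, not Sourcegraph's Code Search query or Batch Change spec and not the React project's code: it classifies each react-server-dom-* pin against the fixed releases named above (19.0.3, 19.1.4, 19.2.3), so that the false-confidence versions 19.0.2, 19.1.3 and 19.2.2 are flagged rather than assumed safe, and rewrites vulnerable pins in place. The sample package.json is constructed, and the function names are my own.

```javascript
// Added example (not Sourcegraph's Code Search query or Batch Change spec, and
// not the React project's code): audit one package.json for react-server-dom-*
// versions still affected by the React2Shell follow-up CVEs and rewrite them to
// the fixed releases named in the post. Function names and the sample are my own.

// Fixed release per 19.x minor line, as stated in the post.
const FIXED = { "19.0": "19.0.3", "19.1": "19.1.4", "19.2": "19.2.3" };

const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];

// Parse an optional ^ or ~ prefix and a MAJOR.MINOR.PATCH version. Anything else
// (tags, git URLs, workspace: specs, "*") returns null so it is flagged for review.
function parseVersion(spec) {
  const m = /^([~^]?)(\d+)\.(\d+)\.(\d+)$/.exec(spec.trim());
  if (!m) return null;
  return { prefix: m[1], major: +m[2], minor: +m[3], patch: +m[4] };
}

// Classify a version spec. A 19.x pin is vulnerable when its patch is below the
// fixed patch for its minor line, so 19.0.2, 19.1.3 and 19.2.2 are all flagged.
// Range specs (^, ~) are judged by their floor; the lockfile decides what is
// actually installed, so check the lockfile as well for those.
function classify(spec) {
  const v = parseVersion(spec);
  if (!v) return { status: "review", reason: "non-exact version spec" };
  if (v.major !== 19) return { status: "review", reason: "outside the 19.x range the advisory covers" };
  const fixed = FIXED[`${v.major}.${v.minor}`];
  if (!fixed) return { status: "review", reason: "minor line not in the advisory" };
  const fixedPatch = +fixed.split(".")[2];
  return v.patch < fixedPatch
    ? { status: "vulnerable", fixed, reason: `below ${fixed}` }
    : { status: "safe", fixed, reason: `at or above ${fixed}` };
}

// Return one finding per affected package found in any dependency field.
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!AFFECTED_PACKAGES.includes(name)) continue;
      findings.push({ field, name, spec, ...classify(spec) });
    }
  }
  return findings;
}

// Rewrite vulnerable pins to the fixed release, keeping the original ^/~ prefix
// so the project's range convention is preserved. Returns the new file text and
// the number of pins changed.
function remediate(text) {
  const pkg = JSON.parse(text);
  let changed = 0;
  for (const f of auditPackageJson(text)) {
    if (f.status !== "vulnerable") continue;
    pkg[f.field][f.name] = parseVersion(f.spec).prefix + f.fixed;
    changed++;
  }
  return { text: JSON.stringify(pkg, null, 2) + "\n", changed };
}

// Constructed sample (not from any real project): a 19.0.2 pin that looks
// patched but is still exposed, a ^19.1.3 range whose floor is exposed, and an
// already-fixed 19.2.3 pin.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: {
    react: "^19.2.0",
    "react-server-dom-webpack": "19.0.2",
    "react-server-dom-turbopack": "^19.1.3",
  },
  devDependencies: { "react-server-dom-parcel": "19.2.3" },
});

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.field}/${f.name}@${f.spec}: ${f.status} (${f.reason})`);
}
const result = remediate(SAMPLE_PACKAGE_JSON);
console.log(`${result.changed} pin(s) updated:\n${result.text}`);
```

Range specs such as ^19.1.3 are judged by their floor here; what actually ships is whatever the lockfile resolved, so the same classification should be applied to package-lock.json, yarn.lock or pnpm-lock.yaml entries before declaring a repository clean.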
Don't let the revenge of the React vulnerabilities catch you twice. Find the affected code, apply the definitive fix, and use Sourcegraph to ensure your victory.
